| # | CVSS | Severity | Vector | Description | Status | CWE | CVE | Published | Updated | Links |
|---|------|----------|--------|-------------|--------|-----|-----|-----------|---------|-------|
| 521 | 4.3 | MEDIUM | Network | OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoc… | New | CWE-863 Incorrect Authorization | CVE-2026-41350 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 522 | 5.3 | MEDIUM | Network | OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-enc… | New | CWE-294 Authentication Bypass by Capture-replay | CVE-2026-41351 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 523 | 8.8 | HIGH | Network | OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials … | New | CWE-862 Missing Authorization | CVE-2026-41352 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 524 | 8.1 | HIGH | Network | OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and… | New | CWE-472 External Control of Assumed-Immutable Web Parameter | CVE-2026-41353 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 525 | 3.7 | LOW | Network | OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers ca… | New | CWE-706 Use of Incorrectly-Resolved Name or Reference | CVE-2026-41354 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 526 | 7.3 | HIGH | Local | OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute … | New | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-41355 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 527 | 5.4 | MEDIUM | Network | OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing… | New | CWE-613 Insufficient Session Expiration | CVE-2026-41356 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 528 | 3.3 | LOW | Local | OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leve… | New | CWE-214 Invocation of Process Using Visible Sensitive Information | CVE-2026-41357 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 529 | 5.4 | MEDIUM | Network | OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through … | New | CWE-346 Origin Validation Error | CVE-2026-41358 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |
| 530 | 7.1 | HIGH | Network | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence setti… | New | CWE-269 Improper Privilege Management | CVE-2026-41359 | 2026-04-24 23:40 | 2026-04-24 | GitHub, Exploit DB, Packet Storm |